Earlier this year, WhatsApp faced an outcry from customers and policymakers alike after a routine privacy update revealed (or resurfaced) the extent to which users’ contact data can legally be shared with parent company Facebook. This could cause legal difficulties for employers in future, a data protection lawyer has told Tech Monitor: if workers use WhatsApp to contact customers, the door is open for WhatsApp to share those contacts with Facebook without their consent.
WhatsApp is the world’s most popular messaging app – and usage has spiked during Covid-19 lockdowns. A study by market researchers Kantar found that WhatsApp usage grew by 40% globally in the first lockdown.
According to Toni Vitale, partner and head of data protection at JMW Solicitors, the policy update in 2016 allowed WhatsApp to share with Facebook “a list of your phone numbers that you have on your device and other people’s phone numbers that are stored in your address book and your profile, those profile pictures, status messages that you might post and also diagnostic data that they gather from app logs”.
Consent not obtained from the client
An employee using WhatsApp “probably won’t understand that you’re giving consent for everyone in your address book’s data to be passed to Facebook,” says Vitale. “There are quite a few privacy issues in relation to this.”
He adds: “If I’m doing that as an employee of a company, my firm could be vicariously liable for me, particularly if I’m doing that in the course of my normal business, not having asked the client for consent. My employer is going to have deeper pockets than me and therefore is more likely to be a target for someone bringing an action in.”
WhatsApp parent Facebook told Tech Monitor that “WhatsApp does not share your WhatsApp contacts with Facebook or any other members of the Facebook Companies for use for their own purposes and there are no plans to do so”.
The issue, says Vitale, is that nothing is stopping them from doing so legally.
“I think it’s fair to say that 2021 is a different privacy landscape to 2016,” says Vitale. “Whereas in the past, users were happy to trade access to their personal information for services which are free at the point of use, now I don’t think people are willing to make that trade.”
The change is in part due to the EU’s data protection regime GDPR. “Throughout the world, not just in the EU, [GDPR has] raised privacy and data protection higher up on people’s agenda,” says Vitale.